Re: (ITS#5472) ldap_get_values() should handle paged results from LDAP/AD
On Apr 16, 2008, at 7:58 AM, pere@hungry.com wrote:
> Full_Name: Petter Reinholdtsen
> Version: 2.1.30
> OS: Debian GNU/Linux Etch
> URL: ftp://ftp.openldap.org/incoming/
> Submission from: (NULL) (2001:700:100:6:213:72ff:fe93:c639)
>
>
> I ran into this problem when trying to use nss-ldapd with LDAP from a
> Microsoft Active Directory server. The problem only appears if there
> are more than 1500 members in a group. When there are fewer than 1500
> members, the result from the LDAP server looks like this:
>
> member: CN=user1,OU=Elever,OU=ULS,OU=VG,OU=Skoler,DC=SKOLEN,DC=LOCAL
> member: CN=user2,OU=Ansatte,OU=ULS,OU=VG,OU=Skoler,DC=SKOLEN,DC=LOCAL
>
> This is properly handled by ldap_get_values(), and the nss-ldapd module
> works properly. For groups with more than 1500 members, the result from
> the LDAP server looks like this:
>
> member;range=0-1499:
> CN=user1,OU=Elever,OU=OVO,OU=VO,OU=Skoler,DC=SKOLEN,DC=LOCAL
> member;range=0-1499:
> CN=user2,OU=Ansatte,OU=OVO,OU=VO,OU=Skoler,DC=SKOLEN,DC=LOCAL
>
> This notation is not handled by ldap_get_values(), and it returns NULL,
> resulting in a group with zero members.
This is proper and well-intended behavior. You asked for the values
returned under the attribute description "member", not the (invalid)
attribute description "member;range=0-1499". Two attribute
descriptions which share the same attribute type do not necessarily
refer to the same attribute.
> Is there a way to parse such "paged" attributes using the OpenLDAP
> library, and could ldap_get_values() be changed to handle these?
>
> Is the range= notation legal LDAP notation?
No. Attribute description options cannot contain equal signs. See
RFC 4512.
> I have been unable to find information about this in any RFC, but our
> resident LDAP expert mentioned that it could be according to some
> extension specification.
Microsoft might offer some specification for this crap. But I note
that it's an improper extension as extensions should be truly optional
(per RFC 4521 and common sense).
> Have not been able to find information about it.
>
> To get the rest of the members I have to ask for attribute
> 'member;range=1500-*' and repeat this until the result shows for
> example 'range=6000-*' to indicate that this is the last batch of
> members.
If you want to implement this crap, you can do so without additional
support from the LDAP API. Use the ldap_first/next_attribute API.
-- Kurt
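The approach Kurt describes, walking the attribute descriptions that ldap_first_attribute()/ldap_next_attribute() return and re-asking for member;range=N-* until the server answers with an "N-*" range, reduces to parsing the range option and computing the next request. The C below does that part offline so it runs without libldap; it is an added example, not OpenLDAP or nss-ldapd code, and the function names and the sample descriptions (modelled on the ones in the report) are constructed.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>   /* strncasecmp: attribute options are case-insensitive */
#include <stdlib.h>
/* One batch of an AD ranged attribute; end == -1 means the server answered
 * "N-*", i.e. this batch is the final one. */
struct ad_range { long start; long end; };
/* Parse "type;range=START-END" as AD returns it for large multi-valued
 * attributes. Returns 1 for a well-formed range option, 0 when desc carries
 * no range option (plain "member"), -1 when the option is malformed. In a
 * libldap loop, apply this to each name from ldap_first/next_attribute(). */
static int parse_range_option(const char *desc, struct ad_range *r)
{
    const char *opt = strchr(desc, ';'); char *endp;
    r->start = 0; r->end = -1;
    if (opt == NULL || strncasecmp(opt + 1, "range=", 6) != 0)
        return 0;                       /* no ";range=" option present */
    r->start = strtol(opt + 7, &endp, 10);
    if (endp == opt + 7 || *endp != '-')
        return -1;                      /* missing START or '-' */
    if (strcmp(endp + 1, "*") == 0)
        return 1;                       /* "N-*": final batch, end stays -1 */
    r->end = strtol(endp + 1, &endp, 10);
    if (*endp != '\0' || r->end < r->start)
        return -1;                      /* trailing junk or inverted range */
    return 1;
}
/* Build the description to request next, e.g. "member;range=1500-*".
 * Returns 1 when another request is needed, 0 when r was the final batch. */
static int next_range_request(const char *type, const struct ad_range *r,
                              char *buf, size_t n)
{
    if (r->end < 0)
        return 0;
    snprintf(buf, n, "%s;range=%ld-*", type, r->end + 1);
    return 1;
}
int main(void)
{   /* Constructed descriptions mirroring the ones in the report. */
    const char *seen[] = { "member", "member;range=0-1499", "member;range=6000-*" };
    struct ad_range r; char next[64];
    for (size_t i = 0; i < 3; i++) {
        int rc = parse_range_option(seen[i], &r);
        if (rc > 0 && next_range_request("member", &r, next, sizeof next))
            printf("%-22s -> request %s next\n", seen[i], next);
        else
            printf("%-22s -> %s\n", seen[i], rc < 0 ? "malformed" : rc ? "final batch" : "no range option");
    }
    return 0;
}
```

A real client would also have to compare the type prefix (the part before ';') against "member", since the ranged values never arrive under the bare description that ldap_get_values() was asked for.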